Durian Malware Linked to Kimsuky North Korean Threat Actor

The North Korean threat group known as Kimsuky has been observed using a new Golang-based malware called Durian in targeted cyber attacks against two South Korean cryptocurrency companies. According to security researchers, Durian is a previously undocumented malware with advanced backdoor capabilities allowing it to execute commands, download files, and exfiltrate data.

The attacks occurred in August and November 2023 and involved the exploitation of legitimate South Korean software to infiltrate systems, although the specific method used to compromise the software remains unclear. What is known is that this software establishes a connection to the attackers' server to retrieve a malicious payload, initiating the infection process.

Infection Chain of the Durian Malware

The initial stage serves as an installer for additional malware, establishing persistence on the host and paving the way for a loader malware that ultimately executes Durian. Durian, in turn, is used to introduce more malicious software, including Kimsuky's preferred backdoor, AppleSeed, a custom proxy tool named LazyLoad, and legitimate tools like ngrok and Chrome Remote Desktop.

Researchers noted that the attackers aimed to steal browser-stored data such as cookies and login credentials. A notable aspect of the attack was the use of LazyLoad, previously associated with Andariel, a sub-group within the Lazarus Group, suggesting potential collaboration or overlap between threat actors.

Kimsuky has been active since at least 2012 and is also known by other names including APT43, Black Banshee, Emerald Sleet (formerly Thallium), Springtail, TA427, and Velvet Chollima. The group is believed to operate under the 63rd Research Center, a division of North Korea's Reconnaissance General Bureau (RGB), the country's premier military intelligence agency.

The primary objective of Kimsuky actors, as highlighted by the U.S. FBI and NSA in a recent alert, is to gather stolen data and valuable geopolitical insights for the North Korean regime by compromising policy analysts and other experts.

By Zaib
May 13, 2024
Computer Security
English
May 13, 2024
Computer Security

Popular Posts

As Fears of the Coronavirus Pandemic Spread, So Does...

5 years ago

What is the OperaGXSetup.exe File and is it Malicious?

11 months ago

Eporner.com And Why Its Excessive Pop-Ups Are Risky

11 days ago

HackTool:Win32/Crack: a Malicious Threat That Can Seriously...

7 months ago

Take Note: Someone Added You As Their Recovery Email Scam

10 months ago

A Potentially Serious Threat: Trojan:Win32/Suschil!rfn

18 days ago

Related Posts

Malware

North Korean Hackers Reveal the Goldbackdoor Malware

North Korea's hacking groups are among the most notorious cybercrime organizations in the world. The majority of their attacks are either financially or politically motivated. One of the latest payloads they use is... Read more

April 27, 2022
Android Malware

FastViewer Android Malware Linked with North Korean Threat Actor

A team working with mobile security firm Talon Cyber Security identified a new trio of malicious packages targeting Android devices. All three malware packages are linked to a threat actor operating out of North Korea... Read more

November 2, 2022
Malware

North Korean Hackers Target Cryptocurrency Traders with TraderTraitor Malware

North Korean cybercriminals often engage in financially-motivated attacks, which enable them to siphon funds into their country, and using them to further the development of various controversial programs, such as the... Read more

April 20, 2022
English
Loading...

Cyclonis Password Manager Details & Terms

FREE Trial: 30-Day One-Time Offer! No credit card required for Free Trial. Full functionality for the length of the Free Trial. (Full functionality after Free Trial requires subscription purchase.) To learn more about our policies and pricing, see EULA, Privacy Policy, Discount Terms and Purchase Page. If you wish to uninstall the app, please visit the Uninstallation Instructions page.

Home

Products

Cyclonis Password Manager Cyclonis World Time

Support

Help Files FAQs Downloads Inquiries & Support

Company

About Us Contact Us Report Abuse

Legal (Post Merger)

EnigmaSoft Limited (fka Cyclonis Limited)

Cyclonis Password Manager's EULA Cyclonis World Time's Terms of Service Privacy Policy Cookie Policy Special Discount Offer Terms Additional Terms & Conditions SpyHunter EULA RegHunter EULA EnigmaSoft Privacy Policy & Cookie Policy ESG Privacy Policy & Cookie Policy EnigmaSoft Discount Offer Terms ESG Discount Offer Terms

© 2017-2025 Cyclonis Ltd. CYCLONIS is a trademark of EnigmaSoft Limited (Cyclonis was merged into EnigmaSoft Limited effective November 25, 2023.) All rights reserved.

Registered Office EnigmaSoft Limited: 1 Castle Street, 3rd Floor, Dublin 2 D02 XD82, Ireland.
EnigmaSoft Limited, Private Company Limited by shares, Company Registration Number 597114.

Windows is a trademark of Microsoft, registered in the U.S. and other countries.
Mac, iPhone, iPad and App Store are trademarks of Apple Inc., registered in the U.S. and other countries.
iOS is a registered trademark of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
Android and Google Play are trademarks of Google LLC.